From: bug#8683 <8683@debbugs.gnu.org>
To: bug#8683 <8683@debbugs.gnu.org>
Subject: Status: printf out-of-bounds memory access
Date: Mon, 23 Jun 2025 00:08:36 +0000

retitle 8683 printf out-of-bounds memory access
reassign 8683 coreutils
submitter 8683 Paul Marinescu
severity 8683 normal
thanks

From: Paul Marinescu
To: bug-coreutils@gnu.org
Cc: Cristian Cadar
Subject: printf out-of-bounds memory access
Date: Tue, 17 May 2011 16:31:40 +0100
Message-ID: <4DD294DC.9050006@imperial.ac.uk>

In coreutils 8.12 (latest), printf can make an out-of-bounds access when an integer argument consists only of a single or double quote.

The printf spec mentions that an integer argument consisting of a single/double quote followed by a character is interpreted as the ASCII value of that character. However, when the quote is alone, the code in the STRTOX macro (printf.c:171) goes beyond the buffer associated with the argument.

Possible fix: report an error at printf.c:166 if ch is 0.

Paul

From: Pádraig Brady
To: Paul Marinescu
Cc: 8683@debbugs.gnu.org, Cristian Cadar
Subject: Re: bug#8683: printf out-of-bounds memory access
Date: Tue, 17 May 2011 16:54:39 +0100
Message-ID: <4DD29A3F.6050908@draigBrady.com>
In-Reply-To: <4DD294DC.9050006@imperial.ac.uk>

On 17/05/11 16:31, Paul Marinescu wrote:
> In coreutils 8.12 (latest), printf can make an out-of-bounds access when
> an integer argument consists only of a single or double quote.
>
> The printf spec mentions that an integer argument consisting of a
> single/double quote followed by a character is interpreted as the ASCII
> value of that character. However, when the quote is alone, the code in
> the STRTOX macro (printf.c:171) goes beyond the buffer associated with
> the argument.
>
> Possible fix: report an error at printf.c:166 if ch is 0.

Good catch!
We'll apply something like the following which results in:

$ ./printf "%d\n" '"a"'
./printf: warning: ": character(s) following character constant have been ignored
97
$ ./printf "%d\n" '"a'
97
$ ./printf "%d\n" '"'
./printf: ": expected a numeric value
0
$ ./printf "%d\n" 'a'
./printf: a: expected a numeric value
0

cheers,
Pádraig.

diff --git a/src/printf.c b/src/printf.c index e05947c..22a85e7 100644 --- a/src/printf.c +++ b/src/printf.c
@@ -160,7 +160,7 @@ FUNC_NAME (char const *s) \ char *end; \ TYPE val; \ \ - if (*s == '\"' || *s == '\'') \ + if ((*s == '\"' || *s == '\'') && *(s+1)) \ { \ unsigned char ch = *++s; \ val = ch; \

From: Pádraig Brady
Cc: 8683-done@debbugs.gnu.org
Subject: Re: bug#8683: printf out-of-bounds memory access
Date: Wed, 18 May 2011 00:55:50 +0100
Message-ID: <4DD30B06.8060808@draigBrady.com>
In-Reply-To: <4DD29A3F.6050908@draigBrady.com>

On 17/05/11 16:54, Pádraig Brady wrote:
> On 17/05/11 16:31, Paul Marinescu wrote:
>> In coreutils 8.12 (latest), printf can make an out-of-bounds access when
>> an integer argument consists only of a single or double quote.

I'll apply the attached fix soon.

thanks again,
Pádraig.

Content-Disposition: attachment; filename="printf-oob.diff"

>From 4d8f6b9f5716077bd423b98324547087f485425e Mon Sep 17 00:00:00 2001
From: Pádraig Brady
Date: Wed, 18 May 2011 00:01:55 +0100
Subject: [PATCH] printf: fix an out-of-bounds memory access

* src/printf.c (STRTOX): Don't access memory after a string containing a single quote character.
* tests/misc/printf: Add tests for various combinations of single quote characters combined with a numeric format.
* THANKS.in: Add bug reporter.
* NEWS: Mention the fix.

Reported-by: Paul Marinescu
--- NEWS | 5 +++++ THANKS.in | 1 + src/printf.c | 2 +- tests/misc/printf | 23 +++++++++++++++++++++++ 4 files changed, 30 insertions(+), 1 deletions(-) diff --git a/NEWS b/NEWS index 7a7f761..88593ab 100644 --- a/NEWS +++ b/NEWS @@ -2,6 +2,11 @@ GNU coreutils NEWS -*- outline -*- * Noteworthy changes in release ?.? (????-??-??) [?] +** Bug fixes + + printf '%d' '"' no longer accesses out-of-bounds memory in the diagnostic. + [bug introduced in sh-utils-1.16] + ** New features split accepts a new --filter=CMD option. With it, split filters output diff --git a/THANKS.in b/THANKS.in index 3156834..9120ba3 100644 --- a/THANKS.in +++ b/THANKS.in @@ -449,6 +449,7 @@ Patrick Mauritz oxygene@studentenbude.ath.cx Paul D. Smith psmith@gnu.org Paul Ghaleb paul.ghaleb@st.com Paul Jarc prj@po.cwru.edu +Paul Marinescu paul.marinescu@imperial.ac.uk Paul Nevai nevai@ops.mps.ohio-state.edu Paul Sauer paul@alexa.com Paul Slootman paul@debian.org diff --git a/src/printf.c b/src/printf.c index e05947c..24070b8 100644 --- a/src/printf.c +++ b/src/printf.c @@ -160,7 +160,7 @@ FUNC_NAME (char const *s) \ char *end; \ TYPE val; \ \ - if (*s == '\"' || *s == '\'') \ + if ((*s == '\"' || *s == '\'') && *(s + 1)) \ { \ unsigned char ch = *++s; \ val = ch; \ diff --git a/tests/misc/printf b/tests/misc/printf index 6404761..8f5f7d4 100755 --- a/tests/misc/printf +++ b/tests/misc/printf
@@ -96,4 +96,27 @@ EOF compare out exp || fail=1 +# Verify handling of single quote chars + +"$prog" '%d\n' '"a' >out 2>err # valid +"$prog" '%d\n' '"a"' >>out 2>>err # invalid +"$prog" '%d\n' '"' >>out 2>>err # invalid +"$prog" '%d\n' 'a' >>out 2>>err # invalid + +cat < exp +97 +97 +0 +0 +EOF + +cat < exp_err +$prog: warning: ": character(s) following character constant have been ignored +$prog: ": expected a numeric value +$prog: a: expected a numeric value +EOF + +compare out exp || fail=1 +compare err exp_err || fail=1 + Exit $fail -- 1.7.4

From: Debbugs Internal Request
To: internal_control@debbugs.gnu.org
Subject: Internal Control
Date: Wed, 15 Jun 2011 11:24:04 +0000

# This is a fake control message.
#
# The action:
# bug archived.
thanks
# This fakemail brought to you by your local debbugs
# administrator
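
Review bot: in the src/printf.c hunk, the added `&& *(s + 1)` test in STRTOX has no comment saying why a quote with nothing after it is kept out of the character-constant branch. A one-line comment stating that a lone quote must not reach `*++s` and is instead reported as "expected a numeric value" (as the new test expects) would stop a later cleanup from dropping the check; `s[1]` would also read more plainly than `*(s + 1)`.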
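
Review bot: the block added to tests/misc/printf exercises only the double-quote form ('"a', '"a"', '"'), while the condition changed in src/printf.c also accepts `'\''`, so the single-quote side of the `||` is untested. Add a lone single-quote operand with its expected 0 and diagnostic. The `# invalid` tag on the '"a"' case is also misleading, since exp expects 97 with only a warning.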
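
The lone-quote case reported in this thread, as an added example that is not part of the original messages or of coreutils: a simplified model of the operand parsing, in which `parse_operand`, its `guard` flag and the `overread` indicator are hypothetical names and the trailing-character check is assumed from the warning text quoted in the thread. It reports where the unguarded condition would read past the terminating NUL instead of performing that read.

```c
#include <errno.h>
#include <stdio.h>
#include <stdlib.h>
#include <string.h>

/* Added illustration, not coreutils source: a simplified model of how a
   printf(1) integer operand is parsed. */
enum status { OK, WARN_TRAILING, ERR_NOT_NUMERIC };

/* guard = 0 models the condition before the fix, guard = 1 the patched one.
   *overread is set when the next read would be past the terminating NUL;
   the model reports that instead of performing the read. */
long parse_operand(const char *s, int guard, enum status *st, int *overread)
{
    size_t len = strlen(s);              /* s[len] is the last valid byte */
    char *end;
    long val;

    *st = OK;
    *overread = 0;
    if ((s[0] == '"' || s[0] == '\'') && (!guard || s[1] != '\0')) {
        val = (unsigned char) s[1];      /* value of the quoted character */
        if (len < 2)                     /* lone quote: s[2] is out of bounds */
            *overread = 1;
        else if (s[2] != '\0')           /* assumed trailing-character check */
            *st = WARN_TRAILING;
        return val;
    }
    errno = 0;
    val = strtol(s, &end, 10);           /* ordinary numeric operand */
    if (end == s || *end != '\0' || errno != 0)
        *st = ERR_NOT_NUMERIC;
    return val;
}

int main(void)
{
    /* Constructed operands, the same four the thread exercises. */
    const char *ops[] = { "\"a", "\"a\"", "\"", "a" };
    for (int g = 0; g <= 1; g++)
        for (size_t i = 0; i < sizeof ops / sizeof ops[0]; i++) {
            enum status st;
            int over;
            long v = parse_operand(ops[i], g, &st, &over);
            printf("guard=%d operand=%-4s value=%ld status=%d overread=%d\n",
                   g, ops[i], v, (int) st, over);
        }
    return 0;
}
```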